Comments on Windows Incident Response: Links

Anonymous, 2015-03-12 07:51 (-05:00):

This is probably too basic for your intent, but being new to host-based forensics, I'd like to see a high-level overview of registry structure, major differences between registries of different Windows versions, and primary registry locations that contain evidence of activities examiners commonly want to know about. Maybe you could do an intro registry analysis presentation at another time.

Jared Greenhill, 2015-03-12 08:08 (-05:00):

With regard to the macro piece, there has been a lot of social engineering put into macro-enabled Office docs over the last year from both commodity/crime and advanced-actor malware authors. As email is inspected harder, this is another avenue to bring badness to an individual or organization. I do think it's an interesting TTP change in that the reliance is now on social engineering to execute badness rather than the familiar exploitation-based Office docs (e.g. embedded shellcode).

Jared Greenhill, 2015-03-12 08:18 (-05:00):

As for your question, I think that many would benefit from a deep-dive discussion into the NTUSER.dat hive and why it can be such a trove of information for investigating a suspect user profile.

H. Carvey, 2015-03-12 08:26 (-05:00):

Anonymous,

First, thanks for the comment.

> ...I'd like to see a high level overview of registry structure...

Can you elaborate on this? I included a high-level overview in the book "Windows Registry Forensics", and such things are available online. Can you share what might be done to improve what's already out there?

> ...major differences between registries of different Windows versions...

It's funny, I hear this question a lot, and not just with the Registry, but with respect to the Windows OSs as a whole.

What I find most interesting is that if I talk about the commonalities, that loses a lot of folks. That is, if I talk about what's remained the same between different versions, I find that most folks seem to not really have that level of understanding...so I'm left wondering where I'll be if I talk about the differences.

My question back to you, which will help me figure out how to address your request, is...how do *you* do Registry analysis? What's *your* process?

> ...and primary registry locations that contain evidence of activities examiners commonly want to know about.

This is perhaps the hardest question to address...because I could give an 8-hour presentation on this topic and never once mention a single key or value that someone in the audience "commonly wants to know about". Why is that?

Here's an example...I don't do CP exams, but I have done exams where it's important to know what files (documents, images, etc.) a user accessed, and when. So there is some carry-over. However, I have talked to a lot of folks who do CP exams, and once they find the images, they're done; I've been told that some have no interest at all in the Registry contents.

So, my question back to you is, what are the types of exams you usually conduct? What are the types of things that you "commonly want to know about"?

> Maybe you could do an intro registry analysis presentation at another time.

Again, thanks for your input and comments. I'm not saying it's not valuable, because it is...very much so. With only an hour available for a presentation, there's not a great deal of time to go into the basics, so I have to assume that folks attending the presentation have some knowledge of and experience with Registry analysis.

Thanks.

H. Carvey, 2015-03-12 08:29 (-05:00):

Jared,

Thanks for the comments.

> As for your question, I think that many would benefit from a deep-dive discussion into the NTUSER.dat hive and why it can be such a trove of information for investigating a suspect user profile.

Great stuff, thanks.

How do *you* currently engage with/analyze the NTUSER.DAT?

Thanks.

43nsicbot, 2015-03-12 09:03 (-05:00):

Hi Harlan,

For those that can't attend the conference, will you be sharing the presentation slides afterwards or doing blog posts based on the presentations?

In regards to your question, I would like to see other methods of persistence in the Registry that can be used besides the Run keys, for example those used by Poweliks and similar malware. I know you may have covered this in a blog post, but some who may not have seen it or aren't familiar with your blog may find it useful in the presentation.

Also, how you can use artifacts in the Registry to aid in identifying lateral movement, for example maybe showing some of your RegRipper plugins around RDP usage and explaining the significance of the keys.

ShellBags could also be a part of the presentation, perhaps an overview of how these are relevant in incident response in terms of reviewing what an attacker accessed via RDP after identifying suspicious login activity through Sniper Forensics.

And maybe briefly introduce the concept of Sniper Forensics, as some may not know what it is and how Registry analysis fits into this.

I'll stop rambling, but hopefully anything I wrote is of use.

H. Carvey, 2015-03-12 09:39 (-05:00):

Daniel,

Thanks for the comments...I greatly appreciate your input and insight, particularly when it's combined with that from others...it's giving me a view into the topic that I don't usually have.

I'm going to add some thoughts that may help in the near term...but these are all great thoughts that I'll not only try to incorporate into the presentation, but also include in the second edition of "Windows Registry Forensics".

(Sidebar: see what I did there? I couldn't get any input into the book, and only got two submissions to the book contest, but asking about the presentation gives me some great stuff to include in the book...)

> For those that can't attend the conference, will you be sharing the presentation slides afterwards or doing blog posts based on the presentations?

> In regards to your question, I would like to see other methods of persistence in the Registry that can be used besides the Run keys, for example those used by Poweliks and similar malware. I know you may have covered this in a blog post, but some who may not have seen it or aren't familiar with your blog may find it useful in the presentation.

Again, I'm not saying that this isn't great input, because it is...but there are sources available...books, blogs, etc....for folks to develop a familiarity with the Registry beyond what they'd get in a one-hour presentation at a conference.

> Also, how you can use artifacts in the Registry to aid in identifying lateral movement, for example maybe showing some of your RegRipper plugins around RDP usage and explaining the significance of the keys.

Here (http://windowsir.blogspot.com/2013/07/howto-track-lateral-movement.html) is a blog post that may be of value.

> ShellBags could also be a part of the presentation, perhaps an overview of how these are relevant in incident response in terms of reviewing what an attacker accessed via RDP after identifying suspicious login activity through Sniper Forensics.

Good thought...I was planning to discuss ShellBags and their relevance.

> And maybe briefly introduce the concept of Sniper Forensics, as some may not know what it is and how Registry analysis fits into this.

Again, I only have an hour...Sniper Forensics has been around long enough that one really shouldn't have to keep bringing it up in presentations.

Again, thanks...this is all great stuff.